Context Aware Access (CAA)
Context Aware Access (CAA)
Embedded Files
App access based on user context
App access based on user context
To facilitate easier user access, while at the same time protecting the security of data, Google has developed context-aware access. This provides granular controls for Google Workspace apps, based on a user’s identity and context of the request (such as device security status or IP address). Based on the BeyondCorp security model developed by Google, users can access web applications and infrastructure resources from virtually any device, anywhere, without utilising remote-access VPN gateways while administrators can establish controls over the device. You can also still set access policies, such as 2-Step Verification, for all members of an organizational unit or group.
Setting up Endpoint Verification
Setting up Endpoint Verification
Download the Endpoint Verification extension from the Chrome Web Store
Alternatively, administrators can force-install by:
Click on devices > Chrome > Apps & Extensions > Users & Browsers
Click on the yellow “Plus” symbol on the bottom right and select chrome web store
Search for callobklhcbilhphinckomhgkigmfocg
Click on select
Click on “Endpoint Verification” to configure it
Tick the boxes for “allow access to keys” and “allow enterprise challenge” and save the changes
Click on the drop-down arrow beside the word “allow install” and select the option to “force install”
Save changes
Create Access Level
Create Access Level
Admins can create Access levels that define the context within which users can access apps
Access levels combine conditions and values that define a user or device context.
Click on security > Context aware access > create new access level
Define name, description and conditions for access level
Click “create access level”
Assign access Level to the apps
Assign access Level to the apps
After creating Access Levels, admins can assign apps to access levels to restrict users’ access only to certain permitted apps
Click on security > Context aware access > assign access levels
Tick the boxes for apps you want to assign
Click on “assign” > tick the access level you want to assign it to
Save changes
Customize User messages
Customize User messages
Admins can customize the messages that users see when an app is restricted; providing more information on next steps should the user vehemently require access
Click on security > Context aware access > user message
Type your new desired user message
You can choose to preview the message which shows you what users will see when they access an app that is being blocked by CAA policies
Save changes
Enabling CAA for sample apps
Enabling CAA for sample apps
Admins can enable CAA for Third party SAML apps that use Google as the identity provider. A third party identity provider (IdP) can also be used (third party IdP federates to Google Cloud Identity and Google Cloud Identity federates to SAML apps)
However, admins can’t enforce Context-Aware policies on:
Mobile apps, such as the Gmail app or the Apple Mail app
Desktop apps, such as Drive for desktop
Same steps as assigning apps to access levels, only admins must make sure that they have a sample app that fulfils the conditions above.
Page updated
Report abuse